I am new to Jamf.
I am looking to start enrolling our Mac fleet into Jamf Pro (we have v10.26).
We have AD on prem and bind Macs to a domain.
I have some questions:
Is it recommended to connect to Azure AD before or after enrolling our fleet?
Is there any downside to connecting to azure AD before enrolling the fleet?
Where does LDAP come in? (I understand version 10.27 is released this week, which allows integration into Azure AD. Does this mean it will replace LDAP?)
10.27 integrates with Azure AD and works the same way as LDAP within Jamf Pro. If you are at the point of rolling out your fleet, then perhaps integrating with Azure AD would be a good thing to do now rather than later.
I've just done the integration to 10.27 on my MDM and the process was straightforward. You can then look into using custom enrolment and using Azure SSO during the setup process.
Are you currently using LDAP with ADFS? With 10.27, it doesn't appear you can use both LDAP and Azure AD Cloud Identity. See this note in the Jamf Administrator guide:
What is your ultimate goal with Azure AD integration? And what are you doing now with LDAP integration (if anything)? It really won't affect anything you are doing on the client computers related to binding. That will continue to function as before. What 10.27 adds is the ability to use Azure AD similar to what we can use LDAP for now in Jamf Pro (Jamf Pro Users, scoping to AAD accounts and groups).
@RBlount - We are at the beginning, so at this point it's a case of getting going, so I'm trying to see if enrolling devices before or after has any benefits or downsides.
We have not integrated anything yet. Our ultimate goal is to have this as hassle-free as possible, replace AD on prem and get modern. We will also at some point down the line purchase Jamf Connect.
About LDAP with ADFS - I'll assume you mean do we have it set up already for our Macs with Jamf? If so, then no. Or do you mean do we have LDAP set up for our PCs?
MFA (multifactor auth) could be a blocker if you use user-initiated enrollment (as we do):
When Azure AD with multi-factor authentication enabled is added as the cloud identity provider, authentication workflows in Jamf Pro (e.g., Self Service and user-initiated enrollment) do not work for Azure AD user groups and accounts.
We wanted to use user-initiated enrolment, and are still waiting for our AD team to integrate Azure AD. Can you please point to a good workflow for user-initiated enrolment? I can look into the Admin guide, but I'm guessing there is something somewhere that others used and is easier, or your workflow?
Thanks in advance.
@pramodmac I do not know whether it is good, but:
We only order machines with DEP/ADE.
We configured Enrollment Customization and User-Initiated Enrollment with the AD/LDAP groups we want to allow enrollment.
We use PreStage Enrollment with account creation, with "Pre-fill account information with device owner's details", so we end up at the Setup Assistant with the AD account of the enrolling end user.
We followed the JNUC video https://youtu.be/ep-81id3PvY - many thanks for the great video!
So the user unpacks the machine, connects to the internet, authenticates and waits for the setup to be finished.
Hope that helps.
Btw: we do not bind anymore - we use the SSO Extension (distributed via MDM).
I was considering starting my own thread, but figure I'll try this one first.
I am trying to integrate AAD/ASM authentication for our Macs (running Catalina). We have on-prem Jamf Pro (running 10.28x), and a fully populated AAD tenant, as well as ASM. I have the ASM/AAD sync running successfully, creating users as desired in ASM. All our Macs are enrolled via DEP, but are NOT currently bound to any DS - just using local user accounts. What do I need to do to set up AAD authentication on the Macs themselves? @michaelhusar mentions an SSO extension - what exactly is that, and where do I lay hands on it? Or is that even what I need? Sorry, I've read quite a bit, and watched about half of that video, but it was spending a lot of time on LDAPS instead of Azure/SAML, and it seemed oriented to starting from scratch, which isn't my case. Any guidance greatly appreciated!
@dmillertds Just to make sure I understand, you want to connect directly to Azure AD and not a local AD, correct?
If so, what are your goals for authentication? Do you just want to authenticate when the computer is enrolled? Do you want to have the user authenticate against their AAD accounts to create users? Do you want to keep their passwords synced between Azure AD and their local macOS account? Do you want them to authenticate against Azure AD each time they log in?
If all you want to do is have the user authenticate during enrollment, you can set up SSO in Jamf Pro. For Automated Enrollments, you would need to create an Enrollment Customization (with an SSO pane).
If you want to have your users log in to their computers with their Azure AD accounts, then you will need to purchase Jamf Connect. This will allow you to replace the existing login screen with an Azure login screen. Users can authenticate using their AAD credentials and create local users based on those AAD credentials. The Jamf Connect menu bar will also allow the users to keep their local password and AAD password in sync.
@RBlount thanks for your reply. The answer is we want to primarily use AAD creds to log into the Macs (i.e., your last paragraph). In all the reading I had done on macOS/AAD integration (which was quite a bit), I never caught that you couldn't actually log into the Mac itself with those credentials. So that's on me for not parsing the fine print carefully enough (I should know better, especially with Apple - don't EVER assume anything!). It's astounding to me this is still the case in 2021, that you can't use a cloud IdP for macOS without involving a 3rd-party solution! I have had NoMAD/NoMAD Login working for a couple of years, with some hiccups - guess we'll have to stick with that. Thanks again for setting me straight.